1SHOREWALL-NAMES(5)            Configuration Files           SHOREWALL-NAMES(5)
2
3
4

NAME

6       names - Shorewall object names
7

DESCRIPTION

9       When you define an object in Shorewall (Zone[1], Logical Interface,
10       ipsets[2], Actions[3], etc., you give it a name. Shorewall names start
11       with a letter and consist of letters, digits or underscores ("_").
12       Except for Zone names, Shorewall does not impose a limit on name
13       length.
14
15       When an ipset is referenced, the name must be preceded by a plus sign
16       ("+").
17
18       The last character of an interface may also be a plus sign to indicate
19       a wildcard name.
20
21       Physical interface names match names shown by 'ip link ls'; if the name
22       includes an at sign ("@"), do not include that character or any
23       character that follows. For example, "sit1@NONE" is referred to as
24       simply 'sit1".
25

ZONE AND CHAIN NAMES

27       For a pair of zones, Shorewall creates two Netfilter chains; one for
28       connections in each direction. The names of these chains are formed by
29       separating the names of the two zones by either "2" or "-".
30
31       Example: Traffic from zone A to zone B would go through chain A2B
32       (think "A to B") or "A-B".
33
34       In Shorewall 4.6, the default separator is "-" but you can override
35       that by setting ZONE_SEPARATOR="2" in shorewall.conf[4] (5).
36
37           Note
38           Prior to Shorewall 4.6, the default separator was "2".
39
40       Zones themselves have names that begin with a letter and are composed
41       of letters, numerals, and "_". The maximum length of a name is
42       dependent on the setting of LOGFORMAT in shorewall.conf[4] (5). See
43       shorewall-zones[1] (5) for details.
44

USING DNS NAMES

46           Caution
47           I personally recommend strongly against using DNS names in
48           Shorewall configuration files. If you use DNS names and you are
49           called out of bed at 2:00AM because Shorewall won't start as a
50           result of DNS problems then don't say that you were not forewarned.
51
52       Host addresses in Shorewall configuration files may be specified as
53       either IP addresses or DNS Names.
54
55       DNS names in iptables rules aren't nearly as useful as they first
56       appear. When a DNS name appears in a rule, the iptables utility
57       resolves the name to one or more IP addresses and inserts those
58       addresses into the rule. So changes in the DNS->IP address relationship
59       that occur after the firewall has started have absolutely no effect on
60       the firewall's rule set.
61
62       For some sites, using DNS names is very risky. Here's an example:
63
64           teastep@ursa:~$ dig pop.gmail.com
65
66           ; <<>> DiG 9.4.2-P1 <<>> pop.gmail.com
67           ;; global options:  printcmd
68           ;; Got answer:
69           ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1774
70           ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0
71
72           ;; QUESTION SECTION:
73           ;pop.gmail.com.               IN A
74
75           ;; ANSWER SECTION:
76           pop.gmail.com.          300   IN CNAME gmail-pop.l.google.com.
77           gmail-pop.l.google.com. 300   IN A     209.85.201.109
78           gmail-pop.l.google.com. 300   IN A     209.85.201.111
79
80       Note that the TTL is 300 -- 300 seconds is only 5 minutes. So five
81       minutes later, the answer may change!
82
83       So this rule may work for five minutes then suddently stop working:
84
85           #ACTION        SOURCE               DEST              PROTO             DPORT
86           POP(ACCEPT)    loc                  net:pop.gmail.com
87
88       There are two options in shorewall[6].conf(5)[4] that affect the use of
89       DNS names in Shorewall[6] config files:
90
91       ·   DEFER_DNS_RESOLUTION - When set to No, DNS names are resolved at
92           compile time; when set to Yes, DNS Names are resolved at runtime.
93
94       ·   AUTOMAKE - When set to Yes, start, restart and reload only result
95           in compilation if one of the files on the CONFIG_PATH has changed
96           since the the last compilation.
97
98       So by setting AUTOMAKE=Yes, and DEFER_DNS_RESOLUTION=No, compilation
99       will only take place at boot time if a change had been make to the
100       config but no restart or reload had taken place. This is clearly
101       spelled out in the shorewall.conf manpage. So with these settings, so
102       long as a 'reload' or 'restart' takes place after the Shorewall
103       configuration is changes, there should be no DNS-related problems at
104       boot time.
105
106           Important
107           When DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes and a DNS change
108           makes it necessary to recompile an existing firewall script, the -c
109           option must be used with the reload or restart command to force
110           recompilation.
111
112       If your firewall rules include DNS names then, even if
113       DEFER_DNS_RESOLUTION=No and AUTOMAKE=Yes:
114
115       ·   If your /etc/resolv.confis wrong then your firewall may not start.
116
117       ·   If your /etc/nsswitch.conf is wrong then your firewall may not
118           start.
119
120       ·   If your Name Server(s) is(are) down then your firewall may not
121           start.
122
123       ·   If your startup scripts try to start your firewall before starting
124           your DNS server then your firewall may not start.
125
126       ·   Factors totally outside your control (your ISP's router is down for
127           example), can prevent your firewall from starting.
128
129       ·   You must bring up your network interfaces prior to starting your
130           firewall, or the firewall may not start.
131
132       Each DNS name must be fully qualified and include a minimum of two
133       periods (although one may be trailing). This restriction is imposed by
134       Shorewall to insure backward compatibility with existing configuration
135       files.
136
137       Example 1. Valid DNS Names
138
139       ·   mail.shorewall.net
140
141       ·   shorewall.net. (note the trailing period).
142
143       Example 2. Invalid DNS Names
144
145       ·   mail (not fully qualified)
146
147       ·   shorewall.net (only one period)
148
149       DNS names may not be used as:
150
151       ·   The server address in a DNAT rule (/etc/shorewall/rules file)
152
153       ·   In the ADDRESS column of an entry in /etc/shorewall/masq.
154
155       ·
156
157       ·   In the /etc/shorewall/nat file.
158
159       These restrictions are imposed by Netfilter and not by Shorewall.
160

LOGICAL INTERFACE NAMES

162       When dealing with a complex configuration, it is often awkward to use
163       physical interface names in the Shorewall configuration.
164
165       ·   You need to remember which interface is which.
166
167       ·   If you move the configuration to another firewall, the interface
168           names might not be the same.
169
170       Beginning with Shorewall 4.4.4, you can use logical interface names
171       which are mapped to the actual interface using the physical option in
172       shorewall-interfaces[5] (5).
173
174       Here is an example:
175
176           #ZONE  INTERFACE  OPTIONS
177           net    COM_IF     dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
178           net    EXT_IF     dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
179           loc    INT_IF     dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
180           dmz    VPS_IF     logmartians=1,routefilter=0,routeback,physical=venet0
181           loc    TUN_IF     physical=tun+
182
183       In this example, COM_IF is a logical interface name that refers to
184       Ethernet interface eth0, EXT_IF is a logical interface name that refers
185       to Ethernet interface eth2, and so on.
186
187       Here are a couple of more files from the same configuration:
188
189       shorewall-masq[6] (5):
190
191           #INTERFACE SOURCE                    ADDRESS
192
193           COMMENT Masquerade Local Network
194           COM_IF     0.0.0.0/0
195           EXT_IF     !206.124.146.0/24         206.124.146.179:persistent
196
197       shorewall-providers[7] (5)
198
199           #NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
200           Avvanta 1        0x10000 main       EXT_IF     206.124.146.254 loose,fallback        INT_IF,VPS_IF,TUN_IF
201           Comcast 2        0x20000 main       COM_IF     detect          balance               INT_IF,VPS_IF,TUN_IF
202
203       Note in particular that Shorewall translates TUN_IF to tun* in the COPY
204       column.
205

NOTES

207        1. Zone
208           https://shorewall.org/manpages/shorewall-zones.html
209
210        2. ipsets
211           https://shorewall.org/manpages/ipsets.html
212
213        3. Actions
214           https://shorewall.org/manpages/Actions.html
215
216        4. shorewall.conf
217           https://shorewall.org/manpages/shorewall.conf.html
218
219        5. shorewall-interfaces
220           https://shorewall.org/manpages/shorewall-interfaces.html
221
222        6. shorewall-masq
223           https://shorewall.org/manpages/shorewall-masq.html
224
225        7. shorewall-providers
226           https://shorewall.org/manpages/shorewall-providers.html
227
228
229
230Configuration Files               07/29/2020                SHOREWALL-NAMES(5)
Impressum